kadmin remote as a regular user

Andrew Holway andrew.holway at gmail.com
Tue Mar 31 08:00:40 EDT 2015


Hi Rainer,

Are you perhaps looking for kinit?

Thanks,

Andrew

On 31 March 2015 at 13:56, Rainer Krienke <krienke at uni-koblenz.de> wrote:

> Hello,
>
> I would like to achieve the following. A particular user say "john" logs
> in at a linux system or authenticates in apache against kerberos.
> Now I would like to allow this user "john" to run kadmin commands
> without entering any additional password.
>
> I first thought that kadmin is like a service and exported the principal
> admin/admin to a keytab file which I copied to a remote system. On this
> system I was then able to call
>
> $ kadmin -k -t /etc/krb5.keytab -p admin/admin
> Authenticating as principal admin/admin with keytab /etc/krb5.keytab.
> kadmin: getprincs
> ...
>
> However this does not work the way I expected. Now I can even destroy
> the user ticket of john with kdestroy -c /tmp/krb5cc_1234 that john got
> when logging into the system and kadmin still works.
>
> What I wanted is that kadmin only works when a particular user has
> logged in and has authenticated against kerberos. Now any user that
> could log in to the system would be able to run kadmin if he has access
> to the keytab file.
>
> So after all what I want is kerberos based single sign on for kadmin usage.
>
> Any idea how to configure this?
>
> Thanks
> Rainer
> --
> Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
> 56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
> PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
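The behaviour Rainer observes is expected: `kadmin -k -t keytab` authenticates with the keytab's key and never looks at the user's credential cache, so anyone who can read the keytab gets admin access and `kdestroy` on john's cache changes nothing. The single-sign-on form he asks for is kadmin's `-c` option, which authenticates with an existing credential cache and therefore only works while john's own ticket is valid; authorization for john's principal then comes from the KDC's kadm5.acl. The script below is an added example written for this page, not code from either poster. Assumed for illustration: MIT Kerberos, realm EXAMPLE.COM, principal john@EXAMPLE.COM, a FILE: credential cache, and the helper names kadm5_acl_line, ccache_file, ccache_owned_by_me and kadmin_sso.

```shell
#!/bin/sh
# Added example: let "john" run kadmin with his own Kerberos ticket instead of a
# copied admin keytab. Names (EXAMPLE.COM, john@EXAMPLE.COM, function names) are
# assumptions for illustration; adjust to the local site.
set -u

# 1. KDC side. One kadm5.acl line (typically /etc/krb5kdc/kadm5.acl or
#    /var/kerberos/krb5kdc/kadm5.acl) grants the principal its rights. The
#    permission letters are kadmind's own: l = list, i = inquire,
#    c = change password, a = add, d = delete, m = modify, * = all.
#    The line is only printed here so an admin can review and append it.
kadm5_acl_line() {
    # $1 = principal, $2 = permission string
    printf '%s %s\n' "$1" "$2"
}

# 2. Client side. Locate the caller's credential cache. Only FILE: caches
#    (or a bare path) are handled; other cache types (KEYRING:, KCM:, DIR:)
#    make this function fail and are handed to kadmin untouched.
ccache_file() {
    c=${KRB5CCNAME:-FILE:/tmp/krb5cc_$(id -u)}
    case $c in
        FILE:*) printf '%s\n' "${c#FILE:}" ;;
        /*)     printf '%s\n' "$c" ;;
        *)      return 1 ;;
    esac
}

# 3. Refuse any cache the caller does not own. The point of the exercise is
#    that kadmin works only with a ticket john obtained himself, never with a
#    shared secret lying on disk. `ls -ln` gives the numeric uid portably.
ccache_owned_by_me() {
    f=$1
    [ -f "$f" ] || return 1
    owner=$(ls -ln "$f" | awk '{print $3}')
    [ "$owner" = "$(id -u)" ]
}

# 4. Run kadmin against that cache. `kadmin -c` uses the existing cache; the
#    GSSAPI layer obtains the kadmin/admin service ticket from the TGT, so no
#    password is asked for and no keytab is involved. Once john runs kdestroy,
#    or his TGT expires, kadmin fails rather than falling back to anything else.
kadmin_sso() {
    if f=$(ccache_file); then
        ccache_owned_by_me "$f" || {
            echo "refusing: $f is missing or not owned by uid $(id -u)" >&2
            return 1
        }
        kadmin -c "FILE:$f" "$@"
    else
        # Non-file cache type: let kadmin resolve KRB5CCNAME itself.
        kadmin -c "$KRB5CCNAME" "$@"
    fi
}

# Usage, after john has logged in (or run kinit):
#   ./kadmin_sso.sh -q listprincs
if [ $# -gt 0 ]; then
    kadmin_sso "$@"
fi
```

kadmind reads kadm5.acl at startup, so restart it after adding the line for john. Keep the ACL as narrow as the task allows (for example `l` or `lci` rather than `*`): with the keytab gone, the ACL is what bounds what john's ticket can do to the database.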